In the past year, I have noticed a large increase in websites that are being affected by the WP-VCD malware and to be honest, this is getting out of hand and I don’t like it. Not one bit.
Let us talk about what it is and how to get rid of it.
The WP-VCD infection is malware spread through “nulled” (pirated) plugins and themes distributed by a network of related sites. It is unusual in how it propagates: once deployed, it talks to an extensive command-and-control (C2) infrastructure and re-installs itself if removed (a “self-healing” infection), which lets the attackers keep a persistent foothold on the infected sites.
How does this affect you and your site?
When your site is infected, the attackers typically use your hosting account’s resources for their own activity, which slows down your website and every other website sharing the same server. If your host detects malware on your site, they will usually suspend it immediately. The other sites on the same server are at risk of infection too, because this malware spreads to every site under the same hosting directory.
Furthermore, Google will blacklist your site to protect visitors from entering your malware-infected website.
Once the WP-VCD malware is inside your site, it gives the hacker complete control. They can silently create spam URLs on your website that are hard to detect. They can redirect your traffic, send spam emails, inject pop-up advertisements and a whole lot more.
This notorious malware can create an admin user and a backdoor, allowing hackers to get access to your entire website forever. Even though you can find and delete the malicious code, you’ll see it appear again multiple times!
Where do the majority of these nulled themes come from?
What happens is that a few unscrupulous people buy themes from legitimate vendors and then booby-trap them with malware. On the same sites they offer free downloads of popular commercial themes that are normally sold through private stores or marketplaces like ThemeForest or CodeCanyon.
If you downloaded a theme from one of these nulled-theme sites, you are in serious trouble.
How to identify a WP-VCD malware infection on your site?
Identifying this malware can be tedious, as it gets quite technical. You can access your WordPress core files by logging in to your hosting account and using its File Manager (or FileZilla, if you do not have a usable file manager).
Identify this malware using these methods:
1. Check if a new WordPress Admin user with a funny username that you do not recognise has been added on your site without your knowledge.
2. Compare the Core Files of your website with the original WordPress version:
- Step 1: Open the Core files (wp-admin and wp-includes) of your infected site.
- Step 2: Download the WordPress Version used by your site from wordpress.org. Open its Core files.
- Step 3: Compare the core files of your site with those of the original WordPress version. Check whether files like wp-vcd.php and wp-tmp.php have been injected into your site’s core files.
Most of these files contain code that looks something like the following fragment:
]) && isset(
]) && (
3. Check if some pages on your website are being automatically redirected to unsolicited websites.
4. Do a Google search for your website’s brand name and check whether SEO spam such as Japanese-keyword results or pharma spam shows up in the search results.
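The core-file comparison in method 2 and the theme check are mechanical enough to script. The following is an added example (not code from the original post) that hashes the site’s wp-admin and wp-includes trees against a clean copy of the same WordPress version, reports files that were added, modified or are missing, and then scans functions.php in every theme (active or not) for the indicator strings named in this post. The indicator list, the directory names and the constructed demo trees are assumptions for the example; extend the list with whatever your own investigation turns up.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicator names come from the post (dropped core files, the class.wp.php
# loader, the derna.top domain). Treat this as an assumption to extend,
# not a complete WP-VCD signature set.
SUSPECT_FILENAMES = {"wp-vcd.php", "wp-tmp.php", "class.wp.php"}
SUSPECT_PATTERNS = {
    "wp-vcd": re.compile(rb"wp-vcd"),
    "wp-tmp.php": re.compile(rb"wp-tmp\.php"),
    "class.wp.php": re.compile(rb"class\.wp\.php"),
    "derna.top": re.compile(rb"derna\.top"),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    if not root.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_core(site_root: Path, clean_root: Path,
                 subdirs=("wp-admin", "wp-includes")) -> dict[str, list[str]]:
    """Diff the site's core directories against a clean copy of the same
    WordPress version. Files present only on the site are 'added' (this is
    where wp-vcd.php and wp-tmp.php show up), files whose hash differs are
    'modified', files only in the clean copy are 'missing'."""
    report = {"added": [], "modified": [], "missing": []}
    for sub in subdirs:
        site, clean = hash_tree(site_root / sub), hash_tree(clean_root / sub)
        for rel in sorted(set(site) | set(clean)):
            full = f"{sub}/{rel}"
            if rel not in clean:
                report["added"].append(full)
            elif rel not in site:
                report["missing"].append(full)
            elif site[rel] != clean[rel]:
                report["modified"].append(full)
    return report


def scan_themes(site_root: Path) -> dict[str, list[str]]:
    """Check functions.php of every theme, active or not, plus any suspect
    filename under wp-content/themes, for the indicator strings above."""
    hits: dict[str, list[str]] = {}
    themes = site_root / "wp-content" / "themes"
    if not themes.is_dir():
        return hits
    for p in themes.rglob("*.php"):
        if p.name != "functions.php" and p.name not in SUSPECT_FILENAMES:
            continue
        data = p.read_bytes()
        matched = [name for name, pat in SUSPECT_PATTERNS.items() if pat.search(data)]
        if p.name in SUSPECT_FILENAMES:
            matched.append("suspect filename")
        if matched:
            hits[p.relative_to(site_root).as_posix()] = matched
    return hits


def build_demo(root: Path) -> tuple[Path, Path]:
    """Constructed clean and infected trees so the scan can run offline."""
    clean, site = root / "clean", root / "site"
    for base in (clean, site):
        (base / "wp-admin").mkdir(parents=True)
        (base / "wp-includes").mkdir(parents=True)
        (base / "wp-admin" / "index.php").write_text("<?php require_once 'admin.php';\n")
        (base / "wp-includes" / "version.php").write_text("<?php $wp_version = '5.3';\n")
    # Constructed infection: two dropped files, one edited core file that
    # loads a dropped file, and a loader line in two themes' functions.php.
    (site / "wp-includes" / "wp-vcd.php").write_text("<?php // constructed marker\n")
    (site / "wp-includes" / "wp-tmp.php").write_text("<?php // constructed marker\n")
    (site / "wp-includes" / "version.php").write_text(
        "<?php $wp_version = '5.3'; include_once 'wp-vcd.php';\n")
    loader = "if (file_exists(dirname(__FILE__) . '/class.wp.php')) include_once 'class.wp.php';\n"
    for theme, infected in (("active-theme", True), ("twentynineteen", True), ("cleantheme", False)):
        d = site / "wp-content" / "themes" / theme
        d.mkdir(parents=True)
        (d / "functions.php").write_text("<?php\n" + (loader if infected else ""))
    return site, clean


def run_demo() -> tuple[dict, dict]:
    site, clean = build_demo(Path(tempfile.mkdtemp(prefix="wpvcd-demo-")))
    return compare_core(site, clean), scan_themes(site)


if __name__ == "__main__":
    report, hits = run_demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
    for path, why in hits.items():
        print(f"{path}: {', '.join(why)}")
```

Point compare_core at your site root and at an unpacked download of the same WordPress version from wordpress.org; anything under “added” in wp-includes deserves a look, and a “modified” core file is where the include line that loads the dropped file usually lives. Scanning every theme directory, not just the active one, matters because the self-healing part of this infection lives in the functions.php of inactive themes.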
How to Remove It.
Note: This method requires you to modify or delete some WordPress core files. If it is not done correctly, it may break the functionality of your website.
Follow these steps for cleaning the infection:
Step 1: Locate the infected files
We have already discussed the different ways to identify the infected files in the previous section. To quickly summarise:
Compare the core files of your site with the files of the original WordPress version.
Compare the core files of your site with those of a previous clean version (a backup).
Identify any unusual PHP files among the core files.
Compare your theme and plugin files with the corresponding versions in the official WordPress theme/plugin directory.
Identify any new files or any changes made to file contents.
Step 2: What files should you check for?
wp-vcd.php and wp-tmp.php in the wp-includes folder
functions.php in every theme under wp-content/themes/ (including the themes that are not active)
class.wp.php (usually inside the main theme folder)
Step 3: Manually search for and remove these string patterns commonly found in infected files:
Code.php in the derna.top folder
Step 4: Delete the admin accounts created by the malware, i.e. any administrator you do not recognise.
Step 5: Delete all inactive themes and plugins.
The simplest way to do this is with Wordfence, which you can install from the WordPress plugin directory. It will mainly scan for the malware and quarantine it; deleting the files and getting rid of the infection for good will be up to you.
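Because the note above warns that touching core files can break the site, a quarantine step is safer than deleting straight away. The following is an added example (not code from the original post) of how to carry out steps 1 to 3 and step 5: the files flagged during identification (and whole inactive theme directories) are moved out of the web root into a quarantine folder that mirrors their original paths, a manifest records every move, and a restore function reverses it if something important was removed by mistake. The demo tree and the list of flagged paths are constructed for the example; in practice the list comes from your own comparison against a clean copy.

```python
import json
import shutil
import tempfile
import time
from pathlib import Path


def quarantine(site_root: Path, rel_paths: list[str], quarantine_dir: Path) -> Path:
    """Move each flagged file or directory out of the site, preserving its
    path relative to site_root under quarantine_dir, and write a manifest
    so the operation can be undone. Returns the manifest path."""
    site_root = site_root.resolve()
    entries = []
    for rel in rel_paths:
        src = (site_root / rel).resolve()
        if site_root not in src.parents:  # refuse anything that escapes the site root
            raise ValueError(f"refusing path outside site root: {rel}")
        if not src.exists():
            continue
        dst = quarantine_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        entries.append({"original": str(src), "quarantined": str(dst)})
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest = quarantine_dir / "manifest.json"
    manifest.write_text(json.dumps({"created": time.time(), "files": entries}, indent=2))
    return manifest


def restore(manifest: Path) -> int:
    """Put quarantined items back where they came from; returns the count restored."""
    data = json.loads(manifest.read_text())
    restored = 0
    for entry in data["files"]:
        src, dst = Path(entry["quarantined"]), Path(entry["original"])
        if src.exists():
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            restored += 1
    return restored


def run_demo() -> dict:
    """Constructed site tree: two dropped core files, a legitimate core file,
    an inactive theme and the active theme. Only the flagged items move."""
    root = Path(tempfile.mkdtemp(prefix="wpvcd-quarantine-"))
    site = root / "site"
    for rel in ("wp-includes/wp-vcd.php", "wp-includes/wp-tmp.php",
                "wp-includes/version.php",
                "wp-content/themes/twentynineteen/functions.php",
                "wp-content/themes/mytheme/functions.php"):
        p = site / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n")
    flagged = ["wp-includes/wp-vcd.php", "wp-includes/wp-tmp.php",
               "wp-content/themes/twentynineteen"]  # inactive theme, step 5
    manifest = quarantine(site, flagged, root / "quarantine")
    after = {rel: (site / rel).exists() for rel in flagged + ["wp-includes/version.php"]}
    restored = restore(manifest)
    return {
        "moved": len(json.loads(manifest.read_text())["files"]),
        "after_quarantine": after,
        "restored": restored,
        "site": site,
    }


if __name__ == "__main__":
    result = run_demo()
    print(f"moved {result['moved']} items, restored {result['restored']}")
    for rel, present in result["after_quarantine"].items():
        print(f"{rel}: {'still present' if present else 'quarantined'}")
```

Keep the quarantine directory outside the document root so the moved PHP can no longer be reached over the web, and re-run your core comparison after the move: if the flagged files come back, the loader in one of the remaining theme or plugin files has not been found yet.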